A study at UCSD Health found cybersecurity training had little effect on employees’ susceptibility to simulated phishing attacks.
On average, four groups of employees who received training designed by the researchers had only a 1.7% lower failure rate than employees who had no training.
Employees often didn’t engage with training, spending less than a minute on training pages over 75% of the time.
Cybersecurity-awareness training might not help employees avoid phishing attacks, a recent study suggests.
The study involved nearly 20,000 employees at UC San Diego Health, a large California healthcare provider, and 10 simulated phishing attacks carried out against those employees over eight months between January and October 2023. UC San Diego Health uses the same cybersecurity-training programs as many organizations around the country.
To gauge the effectiveness of the annual training, the authors looked to see if there was a relationship between failure rates and how recently an employee had taken the training.
Previous studies have shown that people’s security knowledge improves after taking training, but it fades after a few months. Given that, the researchers assumed that participants’ performance on the simulated phishing attacks should follow the same pattern: They should be more likely to fall for the attacks as time passes since they had the training. But in fact, they found that the failure rate stayed pretty much the same no matter how long ago they had the training.
“That suggests the mandatory cyber awareness training did not provide beneficial security knowledge to users,” says Grant Ho, an assistant professor at the University of Chicago and one of the paper’s co-authors. The training might be ineffective for a lot of reasons, he adds. The “content might simply be bad or something all users already know; it could be that the way it communicates or tries to teach the material is ineffective; or it could be that the mandatory online format is something that users inherently will not learn from.”
Different training
To measure the effectiveness of different methods of cybersecurity training, the authors divided employees into four groups. After each attack, each group received a different training method: one received generic tips about avoiding phishing attacks, a second received an interactive Q&A on cybersecurity, a third was informed about the specific methods used in the most recent attack, and the fourth received an interactive Q&A that also included details about the most recent attack. A fifth group was also created, and the employees in that group received no training.
The authors found that on average, employees who received training of any sort had only a 1.7% lower failure rate than employees who had no training.
One reason why the training had so little effect, the authors believe, is that most employees didn’t engage with the training material presented. When employees were directed to a training page they often ignored it. Employees spent less than one minute on the training page for over 75% of the sessions. And many employees closed the page immediately. That happened between 37% and 51% of the time in all four types of training.
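The study's measurements, applied to an organization's own phishing-simulation program: an added Python example (not the study's code or data) that, over constructed records, computes the failure rate of each training arm against the no-training control group, the failure rate by time since the last annual training, and how often the post-simulation training page is closed in under a minute or immediately. The record fields, bucket boundaries and 60-second threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Simulation:
    """One employee's outcome in one simulated phishing campaign (constructed fields)."""
    group: str                # "control" (no training) or a training arm
    days_since_training: int  # days since the employee's last annual training
    failed: bool              # clicked the lure or submitted credentials
    dwell_seconds: int        # time on the training page shown after the simulation (0 for control)

# Constructed sample records; the values are illustrative, not the study's data.
RECORDS = [
    Simulation("control", 30, True, 0),
    Simulation("control", 200, False, 0),
    Simulation("control", 300, True, 0),
    Simulation("generic_tips", 30, True, 5),
    Simulation("generic_tips", 200, False, 40),
    Simulation("generic_tips", 300, True, 0),
    Simulation("interactive_qa", 30, False, 400),
    Simulation("interactive_qa", 200, True, 0),
    Simulation("interactive_qa", 300, False, 30),
]

def _failure_rate(records, key):
    """Failure rate per bucket, where key(record) names the bucket."""
    totals, fails = defaultdict(int), defaultdict(int)
    for r in records:
        totals[key(r)] += 1
        fails[key(r)] += r.failed
    return {b: fails[b] / totals[b] for b in totals}

def failure_rate_by_group(records):
    return _failure_rate(records, lambda r: r.group)

def training_effect(records):
    """Percentage points by which each training arm's failure rate is below the control group's."""
    rates = failure_rate_by_group(records)
    return {g: round((rates["control"] - v) * 100, 1) for g, v in rates.items() if g != "control"}

def failure_rate_by_recency(records, buckets=(90, 180, 365)):
    """Failure rate by days since training; a flat curve means knowledge decay is not driving failures."""
    return _failure_rate(records, lambda r: next((b for b in buckets if r.days_since_training <= b), "older"))

def engagement(records, threshold=60):
    """Share of training sessions shorter than `threshold` seconds, and share closed immediately."""
    sessions = [r for r in records if r.group != "control"]
    short = sum(r.dwell_seconds < threshold for r in sessions)
    immediate = sum(r.dwell_seconds == 0 for r in sessions)
    return {"under_threshold": short / len(sessions), "immediate_close": immediate / len(sessions)}
```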
“A lot of times when employees click on a training module, one possible reason they leave immediately is because they are checking email or on the web for another purpose,” says Ho.
Interactive Q&A
Training that included an interactive Q&A had more of an effect than other types, but only when the employee completed the Q&A module—and that hardly ever happened. The employees who completed the interactive Q&A were 19% less likely to fail future phishing simulations compared with users who received the interactive training but did not complete any of the sessions. But the authors propose there could be an underlying character difference between employees who chose to complete the training entirely and those who did not.
The study’s takeaway for organizations, says Ho, is to rely on measures other than training, such as phishing-detection software that blocks attacks automatically so employees don’t have to spot them themselves.
“Training as it is commonly deployed,” says Ho, “does not provide sufficient protection from phishing on its own.”
Lisa Ward is a writer in Vermont. She can be reached at reports@wsj.com.
Copyright ©2025 Dow Jones & Company, Inc. All Rights Reserved.